The use of networks is widespread. Millions of people connect daily to a network, such as the Internet. Networks have become commonplace and essential to communicate with others, exchange data, or perform business activities, for example. With the rapid growth in the number and type of devices and terminals accessing the Internet, users can potentially use devices capable of attaching to the network via multiple different access media and technologies. However, as more people utilize the convenience of communication over a network, concerns for security over the network have increased. For example, a user may wish to communicate with another user without the risk of a third party intervening or eavesdropping. Secure communication is also necessary for many business activities, such as accessing an account or accessing private information over a network, which may be a wired or a wireless network. A user attempting to access his private account information over a network would desire that his private information be accessed only by authorized individuals, without the threat of eavesdropping or tampering by unauthorized individuals.
The Internet lacks security, and many of the protocols used in the Internet do not provide any security at all. Hackers have tools to sniff passwords off of the network, leaving unencrypted passwords sent over the network extremely vulnerable. Also, some client/server applications rely on the client program to provide the identity of the user who is using it. As there might be no verification process, a hacker may misidentify himself to gain unauthorized access to private data. Some applications rely on the user to restrict himself to performing only the activities that the user is permitted to perform. In these applications, there might be no enforcement, which might lead to breaches of security if the user is not completely honest. Thus, network access technologies have been evolving rapidly to meet the need for network security.
In response to security concerns, methods and protocols were devised to provide for network access authentication. The Transport Layer Security (TLS) protocol was derived from SSL and has been used to provide privacy and data integrity between two communicating applications by providing certificate-based peer authentication. Thus, TLS provides secure communication over a network. HTTP was originally used freely on the Internet without regard to the security of sensitive material. However, increased use of HTTP for private applications necessitated that measures be taken to ensure security. Using the TLS protocol, a client initiates a connection to a server and begins a TLS handshake. After the TLS handshake is complete, the client initiates the first HTTP request. The HTTP data is sent as TLS application data. As an example, a user may access his bank account over the Internet through secure HTTP. Secure HTTP uses the TLS secure transport mechanism so that unauthorized users may not access the private information.
The TLS protocol provides a secure communication channel between peer entities. The peer entities may authenticate themselves to one another by the use of a secret key shared between the two peer entities in the connection, in which the peer entities exchange key information. Public-key based technology and cryptosystems, such as the Diffie-Hellman key agreement protocol or the RSA cryptosystem, are used to create and share the secret key. For example, each of a first and a second user generates a corresponding private value drawn from a set of values. Using the private values, each of the first and second users generates and exchanges a corresponding public value, from which each computes the shared secret key. The secret key provides authentication for the authorized users such that the communication between the first and second users is protected from unauthorized users who do not possess the secret key.
In addition, TLS further provides for session resumption under certain circumstances. If a secret key has already been established, TLS supports rapid session resumption within an application that uses TLS to secure the communication channel between the communicating entities, using the already established master secret key.
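The key agreement and session resumption described above, as an added example in Python that is not part of the original document: two peers derive a shared master secret from exchanged Diffie-Hellman public values, cache it by session id, and a later connection reuses the cached secret with fresh nonces instead of repeating the key agreement. The small group, the HMAC-based derivation, and the names Peer, full_handshake and resume are the example's own assumptions, not TLS as specified.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed, illustration only): safe prime 1019 = 2*509+1, generator 2; real TLS uses groups of 2048 bits or more.
P, G = 1019, 2

def dh_keypair():
    x = secrets.randbelow(P - 2) + 1  # private value drawn from [1, p - 2]
    return x, pow(G, x, P)            # (private value, public value g^x mod p)

def dh_shared(private, peer_public):
    """Shared value from own private value and the peer's public value."""
    if not 1 < peer_public < P - 1:   # reject degenerate public values (0, 1, p-1)
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, P)

def derive(secret, label, nonces):
    return hmac.new(secret, label + nonces, hashlib.sha256).digest()  # stand-in for the TLS PRF

class Peer:
    def __init__(self):
        self.sessions = {}            # session id -> established master secret
        self.dh_runs = 0              # key agreements performed so far
    def public_value(self):
        self._priv, pub = dh_keypair()
        self.dh_runs += 1
        return pub
    def master_secret(self, peer_pub, nonces):
        z = dh_shared(self._priv, peer_pub).to_bytes(2, "big")
        return derive(z, b"master secret", nonces)

def full_handshake(client, server):
    """Initial connection: exchange public values, agree a master secret, cache it by session id."""
    nonces, sid = secrets.token_bytes(16), secrets.token_bytes(4)
    c_pub, s_pub = client.public_value(), server.public_value()
    client.sessions[sid] = client.master_secret(s_pub, nonces)
    server.sessions[sid] = server.master_secret(c_pub, nonces)
    return sid

def resume(client, server, sid):
    """Fast re-authentication: cached master secret plus fresh nonces, no new key agreement."""
    resumed = sid in client.sessions and sid in server.sessions
    if not resumed:                   # unknown or expired session: fall back to a full handshake
        sid = full_handshake(client, server)
    nonces = secrets.token_bytes(16)
    c_key = derive(client.sessions[sid], b"session keys", nonces)
    s_key = derive(server.sessions[sid], b"session keys", nonces)
    return resumed, c_key, s_key
```

The dh_runs counter shows the saving: a resumed connection performs no new exponentiation on either side, while an unknown session id costs a full handshake.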
Extensible Authentication Protocol (EAP) was also developed in response to an increasing demand for user authentication for remote access users. EAP is a general protocol that provides a framework for various network authentication methods. Originally developed to support PPP authentication, EAP has been expanded to support other authentication protocols, such as for wireless LAN access, layer 3 network access, layer 2-based network technology, PANA (Protocol for Carrying Authentication for Network Access), or 802.1X, for example. Some authentication methods support carrying TLS messages for establishing a secure channel between a client and an authentication server. Passwords or other data may be carried encrypted over the secure channel. EAP selects a specific authentication method during the authentication phase, so that an authenticator may request more information before determining the specific authentication mechanism to be used. EAP authentication methods that support carrying TLS messages include EAP-TLS (Extensible Authentication Protocol-Transport Layer Security), EAP-TTLS (Extensible Authentication Protocol-Tunneled Transport Layer Security), or PEAP (Protected Extensible Authentication Protocol), for example.
EAP authentication methods that support TLS messages may support fast re-authentication based on TLS. For example, the Odyssey system developed by Funk Software provides wireless LAN authentication based on 802.1X and EAP-TTLS. The system uses TLS session resumption for fast re-authentication when clients roam within a single layer 2 technology, for example, among 802.11a or 802.11b access points. However, this scheme does not provide for flexible roaming among different technologies, such as roaming between a wireless LAN and a server based network or roaming between a wireless LAN and wired Ethernet, for example.
There is currently no known method or system for permitting clients to roam among multiple layer 2 technologies with fast re-authentication while maintaining security (i.e., interlayer TLS sharing). There is also no known method or system for performing multiple levels of authentication and access control at different layers. Enabling fast re-authentication across multiple layers, or across different subnets in one or more layers, would provide greater convenience to users during re-authentication by providing more rapid secure authentication.
Thus, a need exists in the art for a method and system for providing fast re-authentication across different layers or providing fast re-authentication across different subnets in one or more layers.